Account Numbers On Periodic Statements: Can We Truncate?
Written by Reginald Watson, Regulatory Compliance Counsel, NAFCU
The recent discovery of one of the largest data breaches in history adds to a laundry list of breaches at major corporations just this year. In an anxious attempt to protect their members' sensitive financial information, many credit unions have asked the NAFCU Compliance team whether the periodic statement requirements found in Regulation E permit the truncation of account numbers.
Surprisingly, there is not a lot of federal regulatory guidance with respect to the truncation of account numbers on statements and notices given to members. Section 1005.9(a)(4) of Regulation E allows credit unions to truncate account numbers on receipts available at electronic terminals, such as ATMs. In the preamble to the Federal Reserve Board's version of Regulation E, which implemented the receipt requirement, the Board addressed ways in which to identify consumers conducting transactions at electronic terminals. Rather than requiring financial institutions to "uniquely" identify the consumer in the same way it would on a periodic statement, the Board allowed financial institutions to truncate the number on the receipt to help "protect consumers and financial institutions against fraudulent withdrawals." 61 Fed. Reg. 19662, 19666 (May 2, 1996).
Unfortunately, the preamble to the rule offers no commentary to indicate that the Federal Reserve Board contemplated similar concern when requiring financial institutions to disclose account numbers on periodic statements. The rule itself appears to require the credit union to disclose the entire account number on a periodic statement and is silent about whether this could be accomplished by truncation:
(b) Periodic statements. For an account to or from which electronic fund transfers can be made, a financial institution shall send a periodic statement for each monthly cycle in which an electronic fund transfer has occurred; and shall send a periodic statement at least quarterly if no transfer has occurred. The statement shall set forth the following information, as applicable:
(2) Account number. The number of the account.
12 CFR § 1005.9(b)(2).
Interestingly, while section 1693d(c) of the Electronic Fund Transfer Act requires providing a periodic statement, the account number is not one of the statutory requirements. Overall, whether a truncated account number is sufficient on periodic statements is debatable. However, credit unions have other obligations related to protecting member data. In this modern age where the risk of cybersecurity theft competes with the manual fraud risk of a stolen ATM receipt, it seems that protecting the member's personal information on an electronically available periodic statement is just as important. So, does that mean that credit unions are risking a possible regulatory compliance violation of Regulation E by truncating account numbers on periodic statements to protect members' personal information? It is tough to say.
In the absence of such guidance, credit unions may have to continue making risk-based business decisions with regard to the periodic statement disclosure. Meanwhile, in response to a number of recent data breaches, NAFCU has been increasingly active in calling for a comprehensive national data security standard, including this recent letter on the Marriott, Inc. data breach.